Overview

overview

9

Static

static

3

Creed_All_Spoofer.rar

windows7-x64

3

Creed_All_Spoofer.rar

windows10-2004-x64

3

Creed All ...ed.exe

windows7-x64

9

Creed All ...ed.exe

windows10-2004-x64

9

Creed All ...ad.txt

windows7-x64

1

Creed All ...ad.txt

windows10-2004-x64

1

Creed All ...ao.exe

windows7-x64

1

Creed All ...ao.exe

windows10-2004-x64

1

Creed All ...un.bat

windows7-x64

1

Creed All ...un.bat

windows10-2004-x64

1

Creed All ...OP.exe

windows7-x64

1

Creed All ...OP.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 23:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Creed All Spoofer/Creed.exe

  • Size

    22.8MB

  • MD5

    0ede063d189d5176683244c62cb160a7

  • SHA1

    9a1aedd08f3bb29390cce31a5d16eaa8681c6089

  • SHA256

    499ec15d37c4816953ea43ef49043143341cde6b95ba447d1791c40f80f6b5b9

  • SHA512

    acb404002ac791e906f32ad4290984edafee899748ac0b924a838d20107b9e7c3b64631b7ea83e3592d174e6a92434922aa6a1832a7fb9cb5d8ac8f762609bb0

  • SSDEEP

    393216:r67Ft/tiAuJOzzZRFMCcCLVzSordVGGtdmaD3U38UfXkOuthQnjs84GFmQClq23m:r67Ft/tiAuJOzzZRFMCcCLVzSordVGGs

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Creed All Spoofer\Creed.exe
    "C:\Users\Admin\AppData\Local\Temp\Creed All Spoofer\Creed.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\system32\cmd.exe
        cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:3868

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3a0b1bb1-7c16-4f71-ad2c-897da5c5f1cf\loader.dll
          Filesize

          4.2MB

          MD5

          05b012457488a95a05d0541e0470d392

          SHA1

          74f541d6a8365508c794ef7b4ac7c297457f9ce3

          SHA256

          1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

          SHA512

          6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

          Download Submit

        • memory/1612-20-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-30-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-8-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-9-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-21-0x000001A82F590000-0x000001A82F880000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1612-12-0x00007FFE21CA0000-0x00007FFE21DEE000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1612-13-0x000001A811EC0000-0x000001A811ED2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1612-14-0x000001A82E060000-0x000001A82E09C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1612-15-0x000001A82E900000-0x000001A82E994000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1612-16-0x000001A82E990000-0x000001A82EADE000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1612-17-0x000001A82C010000-0x000001A82C024000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1612-19-0x000001A82E570000-0x000001A82E57A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1612-1-0x000001A8103C0000-0x000001A811A8A000-memory.dmp

          Filesize

          22.8MB

          Download

        • memory/1612-18-0x000001A82E560000-0x000001A82E566000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1612-11-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-22-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-23-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-24-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-26-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-25-0x00007FFE23813000-0x00007FFE23815000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1612-27-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-28-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-29-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1612-0-0x00007FFE23813000-0x00007FFE23815000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1612-31-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-32-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-38-0x00007FFE20490000-0x00007FFE21014000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1612-39-0x00007FFE23810000-0x00007FFE242D1000-memory.dmp

          Filesize

          10.8MB

          Download